trunk: 7 simple patches from dan.
This commit is contained in:
parent
6649aec9d0
commit
f7101c5430
@ -39,11 +39,13 @@ dev_getattr_all_chr_files(locate_t)
|
|||||||
|
|
||||||
files_list_all(locate_t)
|
files_list_all(locate_t)
|
||||||
files_getattr_all_files(locate_t)
|
files_getattr_all_files(locate_t)
|
||||||
|
files_getattr_all_sockets(locate_t)
|
||||||
files_read_etc_runtime_files(locate_t)
|
files_read_etc_runtime_files(locate_t)
|
||||||
files_read_etc_files(locate_t)
|
files_read_etc_files(locate_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(locate_t)
|
fs_getattr_all_fs(locate_t)
|
||||||
fs_getattr_all_dirs(locate_t)
|
fs_getattr_all_files(locate_t)
|
||||||
|
fs_list_all(locate_t)
|
||||||
|
|
||||||
libs_use_shared_libs(locate_t)
|
libs_use_shared_libs(locate_t)
|
||||||
libs_use_ld_so(locate_t)
|
libs_use_ld_so(locate_t)
|
||||||
|
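Review bot: Replacing `fs_getattr_all_dirs(locate_t)` with `fs_getattr_all_files(locate_t)` drops the explicit directory getattr unless the files interface also covers directories on those filesystems; confirm that against the fs module, or keep both calls so the directory walk cannot regress. The two added lines, `files_getattr_all_sockets(locate_t)` and `fs_list_all(locate_t)`, widen what the locate domain can stat and list across every filesystem type, and everything it can see presumably ends up in the locate database, so a one-line comment such as `# updatedb stats every entry it walks, including sockets` would record why the socket rule is needed. The enclosing policy block starts outside the hunk.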
@ -276,6 +276,25 @@ interface(`term_setattr_console',`
|
|||||||
allow $1 console_device_t:chr_file setattr;
|
allow $1 console_device_t:chr_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Relabel from and to the console type.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`term_relabel_console',`
|
||||||
|
gen_require(`
|
||||||
|
type console_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dev_list_all_dev_nodes($1)
|
||||||
|
allow $1 console_device_t:chr_file { relabelfrom relabelto };
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create the console device (/dev/console).
|
## Create the console device (/dev/console).
|
||||||
@ -1052,7 +1071,7 @@ interface(`term_write_all_user_ttys',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
dev_list_all_dev_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 ttynode:chr_file { getattr write };
|
allow $1 ttynode:chr_file { getattr write append };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
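Review bot: The new `term_relabel_console` grants `{ relabelfrom relabelto }` on `console_device_t:chr_file`, which lets the caller move /dev/console out of the console type, yet its summary does not say who is expected to call it; a relabel interface is effectively a type-change primitive, so the doc should name the intended callers, e.g. `## Relabel from and to the console type. Intended for device node management domains only.`. In the third hunk `term_write_all_user_ttys` now also grants `append` on `ttynode:chr_file`; if that interface's summary (outside the hunk) enumerates the permissions, it should mention append as well.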
@ -28,7 +28,6 @@ dontaudit arpwatch_t self:capability sys_tty_config;
|
|||||||
allow arpwatch_t self:process signal_perms;
|
allow arpwatch_t self:process signal_perms;
|
||||||
allow arpwatch_t self:unix_dgram_socket create_socket_perms;
|
allow arpwatch_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
|
allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
|
|
||||||
allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
|
allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
|
||||||
allow arpwatch_t self:udp_socket create_socket_perms;
|
allow arpwatch_t self:udp_socket create_socket_perms;
|
||||||
allow arpwatch_t self:packet_socket create_socket_perms;
|
allow arpwatch_t self:packet_socket create_socket_perms;
|
||||||
@ -71,6 +70,8 @@ files_read_etc_files(arpwatch_t)
|
|||||||
files_read_usr_files(arpwatch_t)
|
files_read_usr_files(arpwatch_t)
|
||||||
files_search_var_lib(arpwatch_t)
|
files_search_var_lib(arpwatch_t)
|
||||||
|
|
||||||
|
auth_use_nsswitch(arpwatch_t)
|
||||||
|
|
||||||
libs_use_ld_so(arpwatch_t)
|
libs_use_ld_so(arpwatch_t)
|
||||||
libs_use_shared_libs(arpwatch_t)
|
libs_use_shared_libs(arpwatch_t)
|
||||||
|
|
||||||
@ -78,8 +79,6 @@ logging_send_syslog_msg(arpwatch_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(arpwatch_t)
|
miscfiles_read_localization(arpwatch_t)
|
||||||
|
|
||||||
sysnet_read_config(arpwatch_t)
|
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
|
userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
|
||||||
userdom_dontaudit_search_sysadm_home_dirs(arpwatch_t)
|
userdom_dontaudit_search_sysadm_home_dirs(arpwatch_t)
|
||||||
|
|
||||||
@ -91,14 +90,6 @@ ifdef(`targeted_policy',`
|
|||||||
files_dontaudit_read_root_files(arpwatch_t)
|
files_dontaudit_read_root_files(arpwatch_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
nis_use_ypbind(arpwatch_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
corecmd_search_bin(arpwatch_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
seutil_sigchld_newrole(arpwatch_t)
|
seutil_sigchld_newrole(arpwatch_t)
|
||||||
')
|
')
|
||||||
|
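Review bot: `corecmd_search_bin(arpwatch_t)` is removed together with its `optional_policy` wrapper, and nothing added in these hunks visibly replaces it. `auth_use_nsswitch(arpwatch_t)` presumably covers the dropped `sysnet_read_config`, `nis_use_ypbind` and the `netlink_route_socket` rule, since name-service lookups need those, but bin-directory search is not a name-service permission. If arpwatch still runs helper commands the first sign will be AVC `search` denials on bin directories, so either keep the call or state in the commit why it is no longer needed. The surrounding rules start outside the hunks.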
@ -18,7 +18,7 @@ files_pid_file(avahi_var_run_t)
|
|||||||
# Local policy
|
# Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow avahi_t self:capability { dac_override setgid chown kill setuid sys_chroot };
|
allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
|
||||||
dontaudit avahi_t self:capability sys_tty_config;
|
dontaudit avahi_t self:capability sys_tty_config;
|
||||||
allow avahi_t self:process { setrlimit signal_perms setcap };
|
allow avahi_t self:process { setrlimit signal_perms setcap };
|
||||||
allow avahi_t self:fifo_file { read write };
|
allow avahi_t self:fifo_file { read write };
|
||||||
@ -75,8 +75,6 @@ logging_send_syslog_msg(avahi_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(avahi_t)
|
miscfiles_read_localization(avahi_t)
|
||||||
|
|
||||||
sysnet_read_config(avahi_t)
|
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
|
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
|
||||||
userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
|
userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
|
||||||
|
|
||||||
|
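Review bot: `fowner` is added to the `avahi_t` self capability set without a comment saying which operation needs it; CAP_FOWNER bypasses the owner check on permission and attribute changes to files the daemon does not own, which is a broad grant for a network-facing service. Record the triggering operation next to the rule, e.g. `# fowner: <operation that triggered the denial> -- TODO confirm`, and if it is only an incidental operation that succeeds without it, a `dontaudit` rule would be the narrower fix. In the second hunk `sysnet_read_config(avahi_t)` is dropped with no visible replacement; confirm that `auth_use_nsswitch(avahi_t)` or an equivalent already exists outside the hunk, otherwise the daemon loses read access to the network configuration.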
@ -145,6 +145,7 @@ optional_policy(`
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
snmp_read_snmp_var_lib_files(cyrus_t)
|
snmp_read_snmp_var_lib_files(cyrus_t)
|
||||||
|
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
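Review bot: `snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)` silences write denials rather than deciding whether the write is needed, which is the right choice only if cyrus opens those files read-write out of habit and works without the write. If a real write is ever required the failure will now leave no audit trail (until dontaudit rules are re-enabled with `semodule -DB`), so a short comment above the line would help, e.g. `# files are opened rw but write access is not needed`.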
@ -253,6 +253,24 @@ interface(`mailman_read_data_symlinks',`
|
|||||||
read_lnk_files_pattern($1,mailman_data_t,mailman_data_t)
|
read_lnk_files_pattern($1,mailman_data_t,mailman_data_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Append to mailman logs.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`mailman_append_log',`
|
||||||
|
gen_require(`
|
||||||
|
type mailman_log_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
append_files_pattern($1,mailman_log_t,mailman_log_t)
|
||||||
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete
|
## Create, read, write, and delete
|
||||||
|
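Review bot: The new `mailman_append_log` grants only `append_files_pattern($1,mailman_log_t,mailman_log_t)` and no search access to the directory the log lives in, unlike the other interfaces added in this commit (`term_relabel_console` includes `dev_list_all_dev_nodes($1)`, `networkmanager_domtrans` includes `corecmd_search_bin($1)`). Presumably the log is under /var/log, in which case `logging_search_logs($1)` before the pattern would make the interface usable without every caller adding path access itself. Append-only is the right scope for a log file.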
@ -58,6 +58,25 @@ interface(`networkmanager_rw_routing_sockets',`
|
|||||||
allow $1 NetworkManager_t:netlink_route_socket { read write };
|
allow $1 NetworkManager_t:netlink_route_socket { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute NetworkManager with a domain transition.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`networkmanager_domtrans',`
|
||||||
|
gen_require(`
|
||||||
|
type NetworkManager_t, NetworkManager_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_bin($1)
|
||||||
|
domtrans_pattern($1,NetworkManager_exec_t,NetworkManager_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send and receive messages from
|
## Send and receive messages from
|
||||||
|
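Review bot: `networkmanager_domtrans` moves the caller into `NetworkManager_t`, a domain that, judging by the neighbouring `networkmanager_rw_routing_sockets`, appears to control routing and network state, but the summary does not say which callers it is meant for. A `domtrans` interface is normally paired with a role-taking `*_run` wrapper when user domains are expected to invoke it; if only system domains should, say so in the doc, e.g. `## Execute NetworkManager with a domain transition. Intended for system domains that start NetworkManager.`.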